On 06/07/2021 16:01, Shawn McKinney wrote:
On Jul 5, 2021, at 1:18 PM, Stefan Seelmann <[email protected]> wrote:
I found one weird thing: the fortress-rest-2.0.6.war contains in
WEB-INF/lib the jboss-rmi-api_1.0_spec-1.0.6.Final.jar.
That jar does not appear on a test machine using JDK 8.
Reading the ticket, it’s JDK 11 specific, which is what I used to build the
release.
This is either GPL or LGPL licensed: the git repo includes no license
file, the pom.xml mentions LGPL [1], and the license file within the JAR
states GPL+CPE.
But this is a transitive dependency from
org.apache.cxf:cxf-core:jar:3.4.4, defined in its parent pom [2], so if
they include it as a dependency it must be ok, right?
Depends on whether trust is transitive. Do we trust that the CXF project did
its due diligence?
This is irrelevant.
Whatever due diligence CXF did, as soon as we know that there is a
GPL/LGPL dependency, we can't cut a release with it in our packages.
The simple fact it's a transitive dependency is not protecting us here.
The question is: do we *need* this dependency?
If so, then do we have a way to release a package that does not contain
it, and explain to the user that they have to add it themselves should
they need it?
FTR, in Mina, we release a package that would optionally require a
dependency on the rxtx library, which is GPL. Obviously, we can't add
this dependency to our package, so we tell the user that they can
compile the code using a -Pserial flag to incorporate the lib, which is
*not* packaged by us otherwise.
This way, what we release cannot 'contaminate' the user without their
knowledge.
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
[email protected] https://www.busit.com/
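The two options raised in the thread, dropping the transitive artifact from what is shipped and offering a GPL dependency only behind an opt-in profile the way Mina does with -Pserial, both live in the pom.xml. The fragment below is an added illustration and is not code from the Fortress, CXF or Mina projects. The Maven coordinates for the jboss-rmi-api artifact (org.jboss.spec.javax.rmi:jboss-rmi-api_1.0_spec), for rxtx (org.rxtx:rxtx:2.1.7) and the enforcer plugin version are assumptions, not taken from the message; check them against the actual dependency:tree output before relying on them.

```xml
<project>
  <!-- Added example, not the real Fortress pom. -->

  <dependencies>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-core</artifactId>
      <version>3.4.4</version>
      <!-- Option 1: exclude the transitive GPL/LGPL artifact so it never
           reaches WEB-INF/lib. Coordinates are an assumption. -->
      <exclusions>
        <exclusion>
          <groupId>org.jboss.spec.javax.rmi</groupId>
          <artifactId>jboss-rmi-api_1.0_spec</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Guard: fail the build if the artifact reappears through any other
           path. An <exclusion> only covers the one dependency it is declared
           on, so a second dependency pulling the same jar would silently
           bring it back; the enforcer catches that. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version> <!-- assumed version -->
        <executions>
          <execution>
            <id>ban-gpl-artifacts</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <exclude>org.jboss.spec.javax.rmi:jboss-rmi-api_1.0_spec</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>

  <!-- Option 2 (the Mina pattern): the GPL library is only added when the
       user builds with -Pserial, so the artifact we publish never contains
       it. rxtx coordinates are an assumption. -->
  <profiles>
    <profile>
      <id>serial</id>
      <dependencies>
        <dependency>
          <groupId>org.rxtx</groupId>
          <artifactId>rxtx</artifactId>
          <version>2.1.7</version>
        </dependency>
      </dependencies>
    </profile>
  </profiles>
</project>
```

Because the CXF parent only activates this dependency on JDK 11, the exclusion and the enforcer rule have to be verified under the same JDK used to cut the release; `mvn -U dependency:tree -Dincludes=org.jboss.spec.javax.rmi` run with JDK 8 would show nothing and prove nothing. The last check is the one Stefan did: list WEB-INF/lib in the built war rather than trusting the resolved tree.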
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]